@vyuhlabs/dxkit 0.8.2 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +24 -3
- package/dist/constants.d.ts +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +1 -1
- package/dist/constants.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/agents-available/dashboard-builder.md +433 -0
- package/templates/.claude/agents-available/vulnerability-scanner.md +120 -64
- package/templates/.claude/commands/dashboard.md +20 -0
- package/templates/CLAUDE.md.template +2 -0
package/README.md
CHANGED
|
@@ -138,15 +138,16 @@ These agents auto-trigger when Claude detects a matching question:
|
|
|
138
138
|
- **quality-reviewer** — "Review my changes" "Check quality before I commit"
|
|
139
139
|
- **doc-writer** — "What needs documentation?" "Help me write docs"
|
|
140
140
|
|
|
141
|
-
### Dormant (
|
|
141
|
+
### Dormant (10) — activate with `/enable-agent`
|
|
142
142
|
- **codebase-explorer** — Deep architecture analysis, generates documentation
|
|
143
143
|
- **code-reviewer** — PR review and security audit (read-only)
|
|
144
144
|
- **test-writer** — Writes tests for existing code
|
|
145
145
|
- **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
|
|
146
146
|
- **dependency-mapper** — Maps import chains and blast radius of changes
|
|
147
147
|
- **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
|
|
148
|
-
- **vulnerability-scanner** —
|
|
148
|
+
- **vulnerability-scanner** — CWE-classified security scan (Snyk-comparable depth)
|
|
149
149
|
- **dev-report** — Developer activity, quality patterns, security attribution
|
|
150
|
+
- **dashboard-builder** — Generates HTML dashboard from all reports
|
|
150
151
|
- **debugger** — Systematic root cause analysis
|
|
151
152
|
|
|
152
153
|
## Reports
|
|
@@ -163,7 +164,9 @@ All analysis commands save timestamped reports to `.ai/reports/`:
|
|
|
163
164
|
dependency-map-2026-03-30.md # Import chains, most-depended-on files
|
|
164
165
|
```
|
|
165
166
|
|
|
166
|
-
|
|
167
|
+
Export options:
|
|
168
|
+
- **HTML dashboard**: `/dashboard` — beautiful dark-themed dashboard with sidebar navigation
|
|
169
|
+
- **PDF**: `/export-pdf all` — converts all reports to PDF
|
|
167
170
|
|
|
168
171
|
## Learning System
|
|
169
172
|
|
|
@@ -186,6 +189,24 @@ DXKit generates a GitHub Action that automatically reviews PRs using Claude Code
|
|
|
186
189
|
|
|
187
190
|
Reviews appear as PR comments with issues rated as critical/warning/suggestion.
|
|
188
191
|
|
|
192
|
+
## Vulnerability Scanner (Snyk-Comparable)
|
|
193
|
+
|
|
194
|
+
The `/vulnerabilities` command runs a comprehensive security scan with CWE classification:
|
|
195
|
+
|
|
196
|
+
| Category | CWE | What It Checks |
|
|
197
|
+
|---|---|---|
|
|
198
|
+
| Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
|
|
199
|
+
| Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
|
|
200
|
+
| Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
|
|
201
|
+
| Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
|
|
202
|
+
| Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
|
|
203
|
+
| Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
|
|
204
|
+
| Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
|
|
205
|
+
| Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
|
|
206
|
+
| + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
|
|
207
|
+
|
|
208
|
+
Reports include a **Findings by CWE Category** table for direct comparison with Snyk/Sonar output.
|
|
209
|
+
|
|
189
210
|
## Smart Detection
|
|
190
211
|
|
|
191
212
|
- **Test runner** — Detects Jest, Mocha, Vitest, Ava, Tap, pytest, go test from scripts and dependencies
|
package/dist/constants.d.ts
CHANGED
package/dist/constants.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,eAAO,MAAM,OAAO,
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,eAAO,MAAM,OAAO,WAAW,CAAC;AAEhC,eAAO,MAAM,gBAAgB;;;;;;;;CAQ5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,yEAAyE;AACzE,eAAO,MAAM,cAAc,UAU1B,CAAC;AAEF,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgC7E;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAuB/E"}
|
package/dist/constants.js
CHANGED
|
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.EVOLVING_FILES = exports.DEFAULT_COVERAGE = exports.DEFAULT_VERSIONS = exports.VERSION = void 0;
|
|
4
4
|
exports.buildVariables = buildVariables;
|
|
5
5
|
exports.buildConditions = buildConditions;
|
|
6
|
-
exports.VERSION = '0.
|
|
6
|
+
exports.VERSION = '0.10.0';
|
|
7
7
|
exports.DEFAULT_VERSIONS = {
|
|
8
8
|
python: '3.12',
|
|
9
9
|
go: '1.24.0',
|
package/dist/constants.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AA6BA,wCAgCC;AAED,0CAuBC;AApFY,QAAA,OAAO,GAAG,
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AA6BA,wCAgCC;AAED,0CAuBC;AApFY,QAAA,OAAO,GAAG,QAAQ,CAAC;AAEnB,QAAA,gBAAgB,GAAG;IAC9B,MAAM,EAAE,MAAM;IACd,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,IAAI;IACV,IAAI,EAAE,QAAQ;IACd,MAAM,EAAE,KAAK;IACb,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,GAAG;CACX,CAAC;AAEW,QAAA,gBAAgB,GAAG,IAAI,CAAC;AAErC,yEAAyE;AAC5D,QAAA,cAAc,GAAG;IAC5B,8CAA8C;IAC9C,kDAAkD;IAClD,2DAA2D;IAC3D,8CAA8C;IAC9C,2CAA2C;IAC3C,6CAA6C;IAC7C,6CAA6C;IAC7C,kCAAkC;IAClC,oDAAoD;CACrD,CAAC;AAEF,SAAgB,cAAc,CAAC,MAAsB;IACnD,MAAM,CAAC,GAA2B;QAChC,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,mBAAmB,EAAE,MAAM,CAAC,kBAAkB,IAAI,WAAW;QAC7D,UAAU,EAAE,OAAO;QACnB,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,wBAAgB,CAAC,EAAE;QACrD,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,gBAAgB,EAAE,wBAAgB,CAAC,QAAQ;QAC3C,aAAa,EAAE,wBAAgB,CAAC,KAAK;QACrC,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,UAAU;QACnB,WAAW,EAAE,cAAc;QAC3B,kBAAkB,EAAE,MAAM,CAAC,iBAAiB,IAAI,wBAAgB;QAChE,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,OAAO,IAAI,UAAU;QACtD,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,IAAI,SAAS;QACzD,qBAAqB,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,IAAI,EAAE;QAC/D,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;KAClC,CAAC;IAEF,oBAAoB;IACpB,CAAC,CAAC,oBAAoB,GAAG,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC,CAAC,gBAAgB,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACxF,CAAC,CAAC,SAAS,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC/F,CAAC,CAAC,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC,cAAc,CAAC;IAExC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,eAAe,CAAC,MAAsB;IACpD,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE;QAC1B,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM;QACzD,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI;QAC9B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ;QAC3C,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,KAAK;QACrC,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ,IAAI,MAAM,CAAC,cAAc,CAAC,KAAK;QAC9E,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM;QACvC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS;QACpC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;QAC7B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,iBAAiB,EAAE,MAAM,CAAC,aAAa;QACvC,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,iBAAiB,IAAI,wBAAgB,CAAC,GAAG,CAAC;QAC/E,YAAY,EAAE,MAAM,CAAC,SAAS;QAC9B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,aAAa,EAAE,MAAM,CAAC,SAAS;KAChC,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -0,0 +1,433 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dashboard-builder
|
|
3
|
+
description: Generates a beautiful HTML dashboard from all reports in .ai/reports/. Use when asked to "build dashboard", "export reports", or "create report dashboard". Reads reports and generates a self-contained HTML file.
|
|
4
|
+
model: sonnet
|
|
5
|
+
tools: Read, Grep, Glob, Bash, Write
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
You are a dashboard builder. Your job is to create a beautiful, self-contained HTML dashboard that renders all markdown reports from `.ai/reports/`.
|
|
9
|
+
|
|
10
|
+
## Steps
|
|
11
|
+
|
|
12
|
+
1. **Find all reports**: Glob for `.ai/reports/*.md`
|
|
13
|
+
2. **Read each report**: Get the markdown content
|
|
14
|
+
3. **Detect project name**: From `CLAUDE.md`, `package.json`, or directory name
|
|
15
|
+
4. **Generate dashboard**: Create `.ai/reports/dashboard.html`
|
|
16
|
+
|
|
17
|
+
## Dashboard Design
|
|
18
|
+
|
|
19
|
+
The dashboard should be a **single self-contained HTML file** with:
|
|
20
|
+
- No external dependencies except CDN links for marked.js (markdown rendering)
|
|
21
|
+
- Dark theme with modern design (GitHub-dark inspired)
|
|
22
|
+
- Fully responsive
|
|
23
|
+
|
|
24
|
+
### Layout
|
|
25
|
+
- **Header**: Project name, VyuhLabs DXKit branding, generation date
|
|
26
|
+
- **Sidebar**: Report navigation grouped by type with icons
|
|
27
|
+
- **Main area**: Rendered markdown report with proper styling
|
|
28
|
+
- **Footer**: VyuhLabs DXKit branding
|
|
29
|
+
|
|
30
|
+
### Report Type Icons & Colors
|
|
31
|
+
Use these emoji/labels for report types:
|
|
32
|
+
- `health-audit` → "Health Audit" with green accent
|
|
33
|
+
- `vulnerability-scan` → "Vulnerability Scan" with red accent
|
|
34
|
+
- `developer-report` → "Developer Report" with blue accent
|
|
35
|
+
- `test-gaps` → "Test Gaps" with orange accent
|
|
36
|
+
- `docs-audit` → "Documentation" with purple accent
|
|
37
|
+
- `dependency-map` → "Dependencies" with cyan accent
|
|
38
|
+
|
|
39
|
+
### Design Requirements
|
|
40
|
+
- Smooth transitions when switching reports
|
|
41
|
+
- Table styling that's readable on dark backgrounds
|
|
42
|
+
- Code blocks with syntax highlighting colors
|
|
43
|
+
- Proper heading hierarchy
|
|
44
|
+
- Score badges for health reports (color-coded: red/yellow/green)
|
|
45
|
+
- Sticky sidebar on desktop, collapsible on mobile
|
|
46
|
+
- Print-friendly styles (@media print)
|
|
47
|
+
|
|
48
|
+
## HTML Template
|
|
49
|
+
|
|
50
|
+
Generate this exact structure (fill in REPORTS_DATA and PROJECT_NAME):
|
|
51
|
+
|
|
52
|
+
```html
|
|
53
|
+
<!DOCTYPE html>
|
|
54
|
+
<html lang="en">
|
|
55
|
+
<head>
|
|
56
|
+
<meta charset="UTF-8">
|
|
57
|
+
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
58
|
+
<title>PROJECT_NAME — DXKit Reports</title>
|
|
59
|
+
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
|
|
60
|
+
<style>
|
|
61
|
+
:root {
|
|
62
|
+
--bg-primary: #0d1117;
|
|
63
|
+
--bg-secondary: #161b22;
|
|
64
|
+
--bg-tertiary: #21262d;
|
|
65
|
+
--border: #30363d;
|
|
66
|
+
--text-primary: #f0f6fc;
|
|
67
|
+
--text-secondary: #c9d1d9;
|
|
68
|
+
--text-muted: #8b949e;
|
|
69
|
+
--accent-blue: #58a6ff;
|
|
70
|
+
--accent-green: #3fb950;
|
|
71
|
+
--accent-red: #f85149;
|
|
72
|
+
--accent-orange: #d29922;
|
|
73
|
+
--accent-purple: #bc8cff;
|
|
74
|
+
--accent-cyan: #39d2c0;
|
|
75
|
+
--sidebar-width: 300px;
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
* { margin: 0; padding: 0; box-sizing: border-box; }
|
|
79
|
+
|
|
80
|
+
body {
|
|
81
|
+
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
|
|
82
|
+
background: var(--bg-primary);
|
|
83
|
+
color: var(--text-secondary);
|
|
84
|
+
display: flex;
|
|
85
|
+
height: 100vh;
|
|
86
|
+
overflow: hidden;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
/* Sidebar */
|
|
90
|
+
.sidebar {
|
|
91
|
+
width: var(--sidebar-width);
|
|
92
|
+
background: var(--bg-secondary);
|
|
93
|
+
border-right: 1px solid var(--border);
|
|
94
|
+
display: flex;
|
|
95
|
+
flex-direction: column;
|
|
96
|
+
flex-shrink: 0;
|
|
97
|
+
overflow: hidden;
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
.sidebar-header {
|
|
101
|
+
padding: 20px;
|
|
102
|
+
border-bottom: 1px solid var(--border);
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
.sidebar-header h1 {
|
|
106
|
+
font-size: 18px;
|
|
107
|
+
color: var(--text-primary);
|
|
108
|
+
font-weight: 600;
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
.sidebar-header .project-name {
|
|
112
|
+
font-size: 13px;
|
|
113
|
+
color: var(--accent-blue);
|
|
114
|
+
margin-top: 4px;
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
.sidebar-header .generated {
|
|
118
|
+
font-size: 11px;
|
|
119
|
+
color: var(--text-muted);
|
|
120
|
+
margin-top: 2px;
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
.sidebar-nav {
|
|
124
|
+
flex: 1;
|
|
125
|
+
overflow-y: auto;
|
|
126
|
+
padding: 12px;
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
.report-group {
|
|
130
|
+
margin-bottom: 16px;
|
|
131
|
+
}
|
|
132
|
+
|
|
133
|
+
.report-group-title {
|
|
134
|
+
font-size: 11px;
|
|
135
|
+
text-transform: uppercase;
|
|
136
|
+
letter-spacing: 0.8px;
|
|
137
|
+
color: var(--text-muted);
|
|
138
|
+
padding: 4px 8px;
|
|
139
|
+
margin-bottom: 4px;
|
|
140
|
+
display: flex;
|
|
141
|
+
align-items: center;
|
|
142
|
+
gap: 6px;
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
.report-group-title .dot {
|
|
146
|
+
width: 8px;
|
|
147
|
+
height: 8px;
|
|
148
|
+
border-radius: 50%;
|
|
149
|
+
flex-shrink: 0;
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
.report-btn {
|
|
153
|
+
display: block;
|
|
154
|
+
width: 100%;
|
|
155
|
+
text-align: left;
|
|
156
|
+
background: none;
|
|
157
|
+
border: none;
|
|
158
|
+
color: var(--text-secondary);
|
|
159
|
+
padding: 8px 12px;
|
|
160
|
+
border-radius: 8px;
|
|
161
|
+
cursor: pointer;
|
|
162
|
+
font-size: 13px;
|
|
163
|
+
margin-bottom: 2px;
|
|
164
|
+
transition: all 0.15s ease;
|
|
165
|
+
font-family: inherit;
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
.report-btn:hover {
|
|
169
|
+
background: var(--bg-tertiary);
|
|
170
|
+
}
|
|
171
|
+
|
|
172
|
+
.report-btn.active {
|
|
173
|
+
background: var(--accent-blue);
|
|
174
|
+
color: white;
|
|
175
|
+
font-weight: 500;
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
.report-btn .date {
|
|
179
|
+
font-size: 11px;
|
|
180
|
+
color: var(--text-muted);
|
|
181
|
+
display: block;
|
|
182
|
+
margin-top: 2px;
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
.report-btn.active .date {
|
|
186
|
+
color: rgba(255,255,255,0.7);
|
|
187
|
+
}
|
|
188
|
+
|
|
189
|
+
.sidebar-footer {
|
|
190
|
+
padding: 16px 20px;
|
|
191
|
+
border-top: 1px solid var(--border);
|
|
192
|
+
font-size: 11px;
|
|
193
|
+
color: var(--text-muted);
|
|
194
|
+
}
|
|
195
|
+
|
|
196
|
+
.sidebar-footer a {
|
|
197
|
+
color: var(--accent-blue);
|
|
198
|
+
text-decoration: none;
|
|
199
|
+
}
|
|
200
|
+
|
|
201
|
+
/* Main content */
|
|
202
|
+
.main {
|
|
203
|
+
flex: 1;
|
|
204
|
+
overflow-y: auto;
|
|
205
|
+
padding: 40px;
|
|
206
|
+
}
|
|
207
|
+
|
|
208
|
+
.main-inner {
|
|
209
|
+
max-width: 860px;
|
|
210
|
+
margin: 0 auto;
|
|
211
|
+
}
|
|
212
|
+
|
|
213
|
+
.empty-state {
|
|
214
|
+
text-align: center;
|
|
215
|
+
color: var(--text-muted);
|
|
216
|
+
margin-top: 30vh;
|
|
217
|
+
}
|
|
218
|
+
|
|
219
|
+
.empty-state h2 {
|
|
220
|
+
font-size: 20px;
|
|
221
|
+
margin-bottom: 8px;
|
|
222
|
+
color: var(--text-secondary);
|
|
223
|
+
}
|
|
224
|
+
|
|
225
|
+
/* Markdown rendering */
|
|
226
|
+
.main-inner h1 { font-size: 28px; color: var(--text-primary); border-bottom: 1px solid var(--border); padding-bottom: 12px; margin-bottom: 20px; }
|
|
227
|
+
.main-inner h2 { font-size: 22px; color: var(--text-primary); margin-top: 32px; margin-bottom: 12px; padding-bottom: 8px; border-bottom: 1px solid var(--border); }
|
|
228
|
+
.main-inner h3 { font-size: 17px; color: var(--text-primary); margin-top: 24px; margin-bottom: 8px; }
|
|
229
|
+
.main-inner h4 { font-size: 15px; color: var(--text-primary); margin-top: 16px; margin-bottom: 6px; }
|
|
230
|
+
.main-inner p { line-height: 1.7; margin-bottom: 14px; }
|
|
231
|
+
.main-inner a { color: var(--accent-blue); text-decoration: none; }
|
|
232
|
+
.main-inner a:hover { text-decoration: underline; }
|
|
233
|
+
.main-inner strong { color: var(--text-primary); }
|
|
234
|
+
.main-inner em { color: var(--text-muted); }
|
|
235
|
+
|
|
236
|
+
.main-inner ul, .main-inner ol { padding-left: 24px; margin-bottom: 14px; }
|
|
237
|
+
.main-inner li { margin-bottom: 6px; line-height: 1.6; }
|
|
238
|
+
.main-inner li::marker { color: var(--text-muted); }
|
|
239
|
+
|
|
240
|
+
.main-inner table { border-collapse: collapse; width: 100%; margin-bottom: 20px; font-size: 14px; }
|
|
241
|
+
.main-inner th { background: var(--bg-secondary); color: var(--text-primary); font-weight: 600; text-align: left; padding: 10px 14px; border: 1px solid var(--border); }
|
|
242
|
+
.main-inner td { padding: 10px 14px; border: 1px solid var(--border); }
|
|
243
|
+
.main-inner tr:hover td { background: rgba(56, 139, 253, 0.04); }
|
|
244
|
+
|
|
245
|
+
.main-inner code {
|
|
246
|
+
background: var(--bg-secondary);
|
|
247
|
+
padding: 2px 7px;
|
|
248
|
+
border-radius: 5px;
|
|
249
|
+
font-size: 13px;
|
|
250
|
+
font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
|
|
251
|
+
color: var(--accent-blue);
|
|
252
|
+
}
|
|
253
|
+
|
|
254
|
+
.main-inner pre {
|
|
255
|
+
background: var(--bg-secondary);
|
|
256
|
+
padding: 18px;
|
|
257
|
+
border-radius: 10px;
|
|
258
|
+
overflow-x: auto;
|
|
259
|
+
margin-bottom: 18px;
|
|
260
|
+
border: 1px solid var(--border);
|
|
261
|
+
}
|
|
262
|
+
|
|
263
|
+
.main-inner pre code {
|
|
264
|
+
background: none;
|
|
265
|
+
padding: 0;
|
|
266
|
+
color: var(--text-secondary);
|
|
267
|
+
font-size: 13px;
|
|
268
|
+
line-height: 1.5;
|
|
269
|
+
}
|
|
270
|
+
|
|
271
|
+
.main-inner blockquote {
|
|
272
|
+
border-left: 3px solid var(--accent-blue);
|
|
273
|
+
padding: 8px 16px;
|
|
274
|
+
color: var(--text-muted);
|
|
275
|
+
margin-bottom: 14px;
|
|
276
|
+
background: rgba(56, 139, 253, 0.04);
|
|
277
|
+
border-radius: 0 6px 6px 0;
|
|
278
|
+
}
|
|
279
|
+
|
|
280
|
+
.main-inner hr {
|
|
281
|
+
border: none;
|
|
282
|
+
border-top: 1px solid var(--border);
|
|
283
|
+
margin: 28px 0;
|
|
284
|
+
}
|
|
285
|
+
|
|
286
|
+
.main-inner img { max-width: 100%; border-radius: 8px; }
|
|
287
|
+
|
|
288
|
+
/* Mobile */
|
|
289
|
+
.mobile-toggle {
|
|
290
|
+
display: none;
|
|
291
|
+
position: fixed;
|
|
292
|
+
top: 12px;
|
|
293
|
+
left: 12px;
|
|
294
|
+
z-index: 100;
|
|
295
|
+
background: var(--bg-secondary);
|
|
296
|
+
border: 1px solid var(--border);
|
|
297
|
+
color: var(--text-primary);
|
|
298
|
+
padding: 8px 12px;
|
|
299
|
+
border-radius: 8px;
|
|
300
|
+
cursor: pointer;
|
|
301
|
+
font-size: 14px;
|
|
302
|
+
}
|
|
303
|
+
|
|
304
|
+
@media (max-width: 768px) {
|
|
305
|
+
.sidebar { position: fixed; left: -300px; z-index: 50; height: 100vh; transition: left 0.3s ease; }
|
|
306
|
+
.sidebar.open { left: 0; box-shadow: 4px 0 20px rgba(0,0,0,0.5); }
|
|
307
|
+
.mobile-toggle { display: block; }
|
|
308
|
+
.main { padding: 20px; padding-top: 56px; }
|
|
309
|
+
}
|
|
310
|
+
|
|
311
|
+
/* Print */
|
|
312
|
+
@media print {
|
|
313
|
+
body { background: white; color: #1a1a1a; }
|
|
314
|
+
.sidebar, .mobile-toggle { display: none; }
|
|
315
|
+
.main { padding: 20px; }
|
|
316
|
+
.main-inner h1, .main-inner h2, .main-inner h3 { color: #1a1a1a; }
|
|
317
|
+
.main-inner code { background: #f0f0f0; color: #1a1a1a; }
|
|
318
|
+
.main-inner pre { background: #f6f6f6; border-color: #ddd; }
|
|
319
|
+
.main-inner th { background: #f0f0f0; }
|
|
320
|
+
.main-inner td, .main-inner th { border-color: #ddd; }
|
|
321
|
+
}
|
|
322
|
+
|
|
323
|
+
/* Scrollbar */
|
|
324
|
+
::-webkit-scrollbar { width: 8px; }
|
|
325
|
+
::-webkit-scrollbar-track { background: transparent; }
|
|
326
|
+
::-webkit-scrollbar-thumb { background: var(--bg-tertiary); border-radius: 4px; }
|
|
327
|
+
::-webkit-scrollbar-thumb:hover { background: var(--border); }
|
|
328
|
+
|
|
329
|
+
/* Animations */
|
|
330
|
+
.main-inner { animation: fadeIn 0.2s ease; }
|
|
331
|
+
@keyframes fadeIn { from { opacity: 0; transform: translateY(8px); } to { opacity: 1; transform: translateY(0); } }
|
|
332
|
+
</style>
|
|
333
|
+
</head>
|
|
334
|
+
<body>
|
|
335
|
+
<button class="mobile-toggle" onclick="document.querySelector('.sidebar').classList.toggle('open')">Menu</button>
|
|
336
|
+
|
|
337
|
+
<div class="sidebar">
|
|
338
|
+
<div class="sidebar-header">
|
|
339
|
+
<h1>DXKit Reports</h1>
|
|
340
|
+
<div class="project-name">PROJECT_NAME</div>
|
|
341
|
+
<div class="generated">Generated GENERATION_DATE</div>
|
|
342
|
+
</div>
|
|
343
|
+
<div class="sidebar-nav" id="nav"></div>
|
|
344
|
+
<div class="sidebar-footer">
|
|
345
|
+
Powered by <a href="https://www.npmjs.com/package/@vyuhlabs/dxkit" target="_blank">VyuhLabs DXKit</a>
|
|
346
|
+
</div>
|
|
347
|
+
</div>
|
|
348
|
+
|
|
349
|
+
<div class="main">
|
|
350
|
+
<div class="main-inner" id="content">
|
|
351
|
+
<div class="empty-state">
|
|
352
|
+
<h2>Select a report</h2>
|
|
353
|
+
<p>Choose a report from the sidebar to view it</p>
|
|
354
|
+
</div>
|
|
355
|
+
</div>
|
|
356
|
+
</div>
|
|
357
|
+
|
|
358
|
+
<script>
|
|
359
|
+
const reports = REPORTS_JSON;
|
|
360
|
+
|
|
361
|
+
const typeConfig = {
|
|
362
|
+
'health-audit': { label: 'Health Audit', color: '#3fb950' },
|
|
363
|
+
'vulnerability-scan': { label: 'Vulnerability Scan', color: '#f85149' },
|
|
364
|
+
'developer-report': { label: 'Developer Report', color: '#58a6ff' },
|
|
365
|
+
'test-gaps': { label: 'Test Gaps', color: '#d29922' },
|
|
366
|
+
'docs-audit': { label: 'Documentation', color: '#bc8cff' },
|
|
367
|
+
'dependency-map': { label: 'Dependencies', color: '#39d2c0' },
|
|
368
|
+
};
|
|
369
|
+
|
|
370
|
+
const nav = document.getElementById('nav');
|
|
371
|
+
const content = document.getElementById('content');
|
|
372
|
+
|
|
373
|
+
// Group reports by type
|
|
374
|
+
const groups = {};
|
|
375
|
+
Object.keys(reports).forEach(name => {
|
|
376
|
+
const type = name.replace(/-\d{4}-\d{2}-\d{2}$/, '');
|
|
377
|
+
if (!groups[type]) groups[type] = [];
|
|
378
|
+
groups[type].push(name);
|
|
379
|
+
});
|
|
380
|
+
|
|
381
|
+
// Build navigation
|
|
382
|
+
Object.entries(groups).forEach(([type, names]) => {
|
|
383
|
+
const cfg = typeConfig[type] || { label: type.replace(/-/g, ' '), color: '#8b949e' };
|
|
384
|
+
const group = document.createElement('div');
|
|
385
|
+
group.className = 'report-group';
|
|
386
|
+
group.innerHTML = '<div class="report-group-title"><span class="dot" style="background:' + cfg.color + '"></span>' + cfg.label + '</div>';
|
|
387
|
+
|
|
388
|
+
names.sort().reverse().forEach(name => {
|
|
389
|
+
const dateMatch = name.match(/(\d{4}-\d{2}-\d{2})$/);
|
|
390
|
+
const date = dateMatch ? dateMatch[1] : '';
|
|
391
|
+
const btn = document.createElement('button');
|
|
392
|
+
btn.className = 'report-btn';
|
|
393
|
+
btn.innerHTML = cfg.label + (date ? '<span class="date">' + date + '</span>' : '');
|
|
394
|
+
btn.onclick = () => {
|
|
395
|
+
document.querySelectorAll('.report-btn').forEach(b => b.classList.remove('active'));
|
|
396
|
+
btn.classList.add('active');
|
|
397
|
+
content.innerHTML = '<div class="main-inner" style="animation:fadeIn 0.2s ease">' + marked.parse(reports[name]) + '</div>';
|
|
398
|
+
// Close mobile sidebar
|
|
399
|
+
document.querySelector('.sidebar').classList.remove('open');
|
|
400
|
+
};
|
|
401
|
+
group.appendChild(btn);
|
|
402
|
+
});
|
|
403
|
+
nav.appendChild(group);
|
|
404
|
+
});
|
|
405
|
+
|
|
406
|
+
// Auto-select first report
|
|
407
|
+
const firstBtn = nav.querySelector('.report-btn');
|
|
408
|
+
if (firstBtn) firstBtn.click();
|
|
409
|
+
</script>
|
|
410
|
+
</body>
|
|
411
|
+
</html>
|
|
412
|
+
```
|
|
413
|
+
|
|
414
|
+
## Building the REPORTS_JSON
|
|
415
|
+
|
|
416
|
+
For each `.md` file in `.ai/reports/`:
|
|
417
|
+
1. Read the file content
|
|
418
|
+
2. Escape for JavaScript: replace `\` with `\\`, backticks with `\`+backtick, `${` with `\${`, and `</script>` with `<\/script>`
|
|
419
|
+
3. Build a JSON object: `{ "filename-without-ext": "escaped markdown content" }`
|
|
420
|
+
|
|
421
|
+
Replace `PROJECT_NAME` with the project name.
|
|
422
|
+
Replace `GENERATION_DATE` with today's date.
|
|
423
|
+
Replace `REPORTS_JSON` with the JSON object.
|
|
424
|
+
|
|
425
|
+
## After Generation
|
|
426
|
+
|
|
427
|
+
Tell the user:
|
|
428
|
+
- Dashboard saved to `.ai/reports/dashboard.html`
|
|
429
|
+
- Open it in a browser: `open .ai/reports/dashboard.html` (macOS) or `xdg-open .ai/reports/dashboard.html` (Linux)
|
|
430
|
+
- Print to PDF from the browser for a shareable document
|
|
431
|
+
|
|
432
|
+
---
|
|
433
|
+
*Generated by [VyuhLabs DXKit](https://www.npmjs.com/package/@vyuhlabs/dxkit) dashboard-builder agent*
|
|
@@ -1,74 +1,112 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: vulnerability-scanner
|
|
3
|
-
description:
|
|
3
|
+
description: Comprehensive security vulnerability scanner — dependencies (with CWE classification), code patterns, file uploads, decompression bombs, recursion depth, native modules, resource limits. Use when asked about vulnerabilities, "is this secure?", "audit dependencies", or "security scan". Saves report to .ai/reports/.
|
|
4
4
|
model: sonnet
|
|
5
5
|
tools: Read, Grep, Glob, Bash, Write
|
|
6
6
|
---
|
|
7
7
|
|
|
8
|
-
You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues.
|
|
9
|
-
|
|
10
|
-
##
|
|
11
|
-
|
|
12
|
-
###
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
8
|
+
You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues, classify findings by CWE, and produce an actionable report.
|
|
9
|
+
|
|
10
|
+
## Phase 1: Dependency Vulnerabilities with CWE Classification
|
|
11
|
+
|
|
12
|
+
### Node.js
|
|
13
|
+
Run `npm audit --json 2>/dev/null` and parse the full output:
|
|
14
|
+
1. Extract severity counts (critical/high/medium/low)
|
|
15
|
+
2. **Extract CWE fields** from each advisory's `via` entries (skip string entries — those are transitive refs)
|
|
16
|
+
3. Group findings by CWE category using this mapping:
|
|
17
|
+
|
|
18
|
+
| CWE | Name |
|
|
19
|
+
|-----|------|
|
|
20
|
+
| CWE-22 | Directory Traversal |
|
|
21
|
+
| CWE-78 | Command Injection |
|
|
22
|
+
| CWE-94 | Arbitrary Code Injection |
|
|
23
|
+
| CWE-120 | Buffer Overflow |
|
|
24
|
+
| CWE-248 | Uncaught Exception |
|
|
25
|
+
| CWE-352 | Cross-Site Request Forgery |
|
|
26
|
+
| CWE-400 | Uncontrolled Resource Consumption |
|
|
27
|
+
| CWE-407 | Inefficient Algorithmic Complexity |
|
|
28
|
+
| CWE-409 | Decompression Bomb |
|
|
29
|
+
| CWE-434 | Arbitrary File Upload |
|
|
30
|
+
| CWE-674 | Uncontrolled Recursion |
|
|
31
|
+
| CWE-770 | Allocation Without Limits |
|
|
32
|
+
| CWE-772 | Missing Resource Release |
|
|
33
|
+
| CWE-835 | Infinite Loop |
|
|
34
|
+
| CWE-918 | Server-Side Request Forgery |
|
|
35
|
+
| CWE-1321 | Prototype Pollution |
|
|
36
|
+
| CWE-1333 | ReDoS |
|
|
37
|
+
|
|
38
|
+
Also run `npm outdated --json 2>/dev/null` for outdated packages.
|
|
39
|
+
|
|
40
|
+
### Python
|
|
22
41
|
- Run `pip audit 2>/dev/null` or `safety check 2>/dev/null` if available
|
|
23
|
-
-
|
|
24
|
-
- Check for known vulnerable packages (pyyaml, requests, pillow older versions)
|
|
25
|
-
|
|
26
|
-
**Go:**
|
|
27
|
-
- Run `govulncheck ./... 2>/dev/null` if available
|
|
28
|
-
- Read `go.sum` for dependency count
|
|
42
|
+
- Check for pinned vs unpinned versions in `requirements.txt` / `pyproject.toml`
|
|
29
43
|
|
|
30
|
-
|
|
31
|
-
- Run `cargo audit 2>/dev/null`
|
|
44
|
+
### Go / Rust / C#
|
|
45
|
+
- Run `govulncheck ./... 2>/dev/null`, `cargo audit 2>/dev/null`, `dotnet list package --vulnerable 2>/dev/null`
|
|
32
46
|
|
|
33
|
-
|
|
34
|
-
- Run `dotnet list package --vulnerable 2>/dev/null` if available
|
|
47
|
+
## Phase 2: Code-Level Vulnerability Scan
|
|
35
48
|
|
|
36
|
-
###
|
|
49
|
+
### Injection (CWE-78, CWE-89, CWE-79)
|
|
50
|
+
- **Command injection**: `exec(`, `child_process`, `os.system(`, `subprocess.call(` — flag if input could be user-controlled
|
|
51
|
+
- **SQL injection**: string concatenation in queries, template literals with user input
|
|
52
|
+
- **XSS**: `dangerouslySetInnerHTML`, `v-html`, unescaped output in templates
|
|
37
53
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
**Injection:**
|
|
41
|
-
- SQL: string concatenation in queries (`"SELECT.*" +`, template literals with user input)
|
|
42
|
-
- Command injection: `exec(`, `child_process`, `os.system(`, `subprocess.call(` with unsanitized input
|
|
43
|
-
- XSS: `dangerouslySetInnerHTML`, `v-html`, unescaped output
|
|
44
|
-
|
|
45
|
-
**Authentication & Authorization:**
|
|
54
|
+
### Authentication & Secrets (CWE-798, CWE-327)
|
|
46
55
|
- Hardcoded secrets: `password\s*=\s*['"]`, `apiKey`, `secret\s*=`, `token\s*=\s*['"]`
|
|
47
56
|
- Weak crypto: `md5`, `sha1` for passwords, `Math.random` for tokens
|
|
48
57
|
- JWT issues: `algorithm.*none`, missing expiry, hardcoded signing keys
|
|
49
58
|
|
|
50
|
-
|
|
59
|
+
### Decompression Bomb (CWE-409)
|
|
60
|
+
- `zlib.createGunzip()`, `createInflate()`, `createUnzip()` — flag if no `maxOutputLength`
|
|
61
|
+
- `tar.extract()`, `tar.x()` — flag if no `maxReadSize` or size filter
|
|
62
|
+
- `require('decompress')`, `require('unzipper')`, `require('adm-zip')` — flag on user-uploaded files
|
|
63
|
+
- `express.json()`, `bodyParser.json()` — flag if no `limit` option
|
|
64
|
+
|
|
65
|
+
### Uncontrolled Recursion (CWE-674)
|
|
66
|
+
- `JSON.parse(` on user input without depth validation
|
|
67
|
+
- XML parsers (`fast-xml-parser`, `xml2js`, `@xmldom/xmldom`) — flag if no `maxDepth`
|
|
68
|
+
- `yaml.load()` instead of `yaml.safeLoad()`, no schema restriction
|
|
69
|
+
- Custom recursive functions processing user data without depth guards
|
|
70
|
+
|
|
71
|
+
### Arbitrary File Upload (CWE-434)
|
|
72
|
+
- `multer` — flag if no `fileFilter`, no `limits.fileSize`, storage in web-accessible dir
|
|
73
|
+
- `formidable` — flag if no `maxFileSize`, no type validation
|
|
74
|
+
- `busboy` — flag if no `limits` option
|
|
75
|
+
- `fs.writeFile`/`createWriteStream` with user-controlled path — flag if no extension/MIME validation
|
|
76
|
+
|
|
77
|
+
### Resource Allocation Without Limits (CWE-770)
|
|
78
|
+
- No rate limiting middleware (`express-rate-limit`, `RateLimiter`)
|
|
79
|
+
- `express.json()`/`bodyParser` without `limit` option
|
|
80
|
+
- WebSocket without `maxPayload`: `socket.on('message'`, `ws.on('message'`
|
|
81
|
+
- Database queries without `.limit()` or pagination on user-facing endpoints
|
|
82
|
+
|
|
83
|
+
### Data Exposure
|
|
51
84
|
- Sensitive data in logs: `console.log.*password`, `print.*secret`
|
|
52
|
-
- Debug mode
|
|
53
|
-
- Exposed stack traces
|
|
85
|
+
- Debug mode: `DEBUG=true`, `debug: true` in production config
|
|
86
|
+
- Exposed stack traces in error handlers
|
|
87
|
+
- CORS wildcard: `Access-Control-Allow-Origin: *`
|
|
88
|
+
|
|
89
|
+
## Phase 3: Native Module Audit (CWE-120)
|
|
54
90
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
-
|
|
91
|
+
Run these checks:
|
|
92
|
+
```bash
|
|
93
|
+
find node_modules -name "*.node" -type f 2>/dev/null | head -20
|
|
94
|
+
find node_modules -name "binding.gyp" -maxdepth 3 2>/dev/null | head -20
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
Known native packages with historical buffer overflow CVEs:
|
|
98
|
+
- `sharp` (libvips), `bcrypt` (OpenSSL), `node-canvas` (cairo), `sqlite3`, `grpc`, `bufferutil`
|
|
58
99
|
|
|
59
|
-
|
|
60
|
-
- CORS: `Access-Control-Allow-Origin: *`
|
|
61
|
-
- Missing security headers (CSP, HSTS, X-Frame-Options)
|
|
62
|
-
- HTTP instead of HTTPS in URLs
|
|
100
|
+
Flag native modules not covered by npm audit for manual review.
|
|
63
101
|
|
|
64
|
-
|
|
102
|
+
## Phase 4: Dependency Chain Risk
|
|
65
103
|
|
|
66
104
|
- Count total dependencies (direct + transitive)
|
|
67
|
-
- Identify
|
|
68
|
-
- Check for abandoned packages (no
|
|
69
|
-
-
|
|
105
|
+
- Identify largest dependency trees (supply chain risk)
|
|
106
|
+
- Check for abandoned packages (>2yr no update)
|
|
107
|
+
- Count native modules in tree
|
|
70
108
|
|
|
71
|
-
|
|
109
|
+
## Phase 5: Generate Report
|
|
72
110
|
|
|
73
111
|
Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
|
|
74
112
|
|
|
@@ -76,25 +114,43 @@ Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
|
|
|
76
114
|
## Vulnerability Scan Report
|
|
77
115
|
|
|
78
116
|
### Summary
|
|
79
|
-
| Severity |
|
|
80
|
-
|
|
81
|
-
| Critical | X |
|
|
82
|
-
| High | X |
|
|
83
|
-
| Medium | X |
|
|
84
|
-
| Low | X |
|
|
117
|
+
| Severity | Dependency Issues | Code Issues | Total |
|
|
118
|
+
|----------|------------------|-------------|-------|
|
|
119
|
+
| Critical | X | X | X |
|
|
120
|
+
| High | X | X | X |
|
|
121
|
+
| Medium | X | X | X |
|
|
122
|
+
| Low | X | X | X |
|
|
123
|
+
|
|
124
|
+
### Findings by CWE Category
|
|
125
|
+
| CWE | Category | Dep. Issues | Code Issues | Severity |
|
|
126
|
+
|-----|----------|-------------|-------------|----------|
|
|
127
|
+
| CWE-78 | Command Injection | 0 | 2 | Critical |
|
|
128
|
+
| CWE-770 | Allocation Without Limits | 4 | 1 | High |
|
|
129
|
+
| CWE-835 | Infinite Loop | 2 | 0 | High |
|
|
130
|
+
| CWE-409 | Decompression Bomb | 0 | 1 | High |
|
|
131
|
+
| CWE-674 | Uncontrolled Recursion | 1 | 0 | Medium |
|
|
132
|
+
| CWE-434 | Arbitrary File Upload | 0 | 1 | Medium |
|
|
85
133
|
|
|
86
134
|
### Dependency Vulnerabilities
|
|
87
|
-
| Package | Severity | Description | Fix |
|
|
88
|
-
|
|
89
|
-
|
|
|
135
|
+
| Package | Severity | CWE | Description | Fix |
|
|
136
|
+
|---------|----------|-----|-------------|-----|
|
|
137
|
+
| tar@6.1.11 | High | CWE-409 | Decompression bomb | Upgrade to 6.2.0 |
|
|
90
138
|
|
|
91
139
|
### Code Vulnerabilities
|
|
92
|
-
| File:Line | Severity | Type | Description |
|
|
93
|
-
|
|
94
|
-
| src/auth.ts:42 | Critical | Hardcoded secret | JWT key in source |
|
|
140
|
+
| File:Line | Severity | CWE | Type | Description |
|
|
141
|
+
|-----------|----------|-----|------|-------------|
|
|
142
|
+
| src/auth.ts:42 | Critical | CWE-798 | Hardcoded secret | JWT key in source |
|
|
143
|
+
| src/upload.ts:10 | High | CWE-434 | File upload | multer without fileFilter |
|
|
144
|
+
|
|
145
|
+
### Native Modules
|
|
146
|
+
| Package | Type | Has Advisories | Notes |
|
|
147
|
+
|---------|------|----------------|-------|
|
|
148
|
+
| sharp@0.32.1 | binding.gyp | Yes (2 high) | Image processing |
|
|
149
|
+
| bcrypt@5.1.0 | binding.gyp | No | Manual review recommended |
|
|
95
150
|
|
|
96
151
|
### Dependency Health
|
|
97
152
|
- Total dependencies: X (direct: Y, transitive: Z)
|
|
153
|
+
- Native modules: X
|
|
98
154
|
- Outdated: X packages
|
|
99
155
|
- Abandoned (>2yr no update): X packages
|
|
100
156
|
|
|
@@ -108,10 +164,10 @@ Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
|
|
|
108
164
|
|
|
109
165
|
## Rules
|
|
110
166
|
|
|
111
|
-
- **Run real tools** — don't guess, run `npm audit`, `pip audit`, etc.
|
|
112
|
-
- **
|
|
167
|
+
- **Run real tools** — don't guess, run `npm audit --json`, `pip audit`, etc.
|
|
168
|
+
- **Classify by CWE** — every finding should have a CWE number
|
|
169
|
+
- **Be specific** — exact package versions, file:line references, CVE/GHSA numbers
|
|
113
170
|
- **Prioritize by exploitability** — a reachable RCE is worse than a theoretical DoS
|
|
114
171
|
- **Include fix instructions** — "upgrade X to Y" or "replace pattern A with B"
|
|
115
172
|
- **Never output actual secret values** — say "hardcoded secret found at file:line", don't print it
|
|
116
173
|
- Save the report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`
|
|
117
|
-
- **Always end the report with:** `---` followed by `*Generated by [VyuhLabs DXKit](https://www.npmjs.com/package/@vyuhlabs/dxkit) vulnerability-scanner agent*`
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Generate a beautiful HTML dashboard from all reports
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Delegate to the **dashboard-builder** agent. It will read all reports from `.ai/reports/` and generate a self-contained HTML dashboard at `.ai/reports/dashboard.html`.
|
|
6
|
+
|
|
7
|
+
The dashboard features:
|
|
8
|
+
- Dark theme with modern design
|
|
9
|
+
- Sidebar navigation grouped by report type with color-coded indicators
|
|
10
|
+
- Full markdown rendering with styled tables, code blocks, and headings
|
|
11
|
+
- Responsive layout (works on mobile)
|
|
12
|
+
- Print-friendly styles
|
|
13
|
+
|
|
14
|
+
**IMPORTANT: End the report with this exact footer:**
|
|
15
|
+
```
|
|
16
|
+
---
|
|
17
|
+
*Generated by [VyuhLabs DXKit](https://www.npmjs.com/package/@vyuhlabs/dxkit)*
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
$ARGUMENTS
|
|
@@ -162,6 +162,7 @@ Slash commands for common workflows. Run `/help` to list all with descriptions.
|
|
|
162
162
|
- `/vulnerabilities` - Scan dependencies and code for security issues
|
|
163
163
|
- `/dev-report` - Developer activity and code quality report
|
|
164
164
|
- `/docs` - Audit, write, or improve documentation
|
|
165
|
+
- `/dashboard` - Generate HTML dashboard from all reports
|
|
165
166
|
- `/export-pdf` - Convert markdown reports to PDF
|
|
166
167
|
- `/fix-issue <number>` - Investigate and fix a GitHub issue
|
|
167
168
|
|
|
@@ -184,6 +185,7 @@ Language-specific conventions that activate automatically when editing matching
|
|
|
184
185
|
- `health-auditor` — Comprehensive codebase health audit (sonnet, read-only)
|
|
185
186
|
- `vulnerability-scanner` — Dependency and code vulnerability analysis (sonnet)
|
|
186
187
|
- `dev-report` — Developer activity, quality patterns, security attribution (sonnet)
|
|
188
|
+
- `dashboard-builder` — Generates HTML dashboard from all reports (sonnet)
|
|
187
189
|
- `doc-writer` — Audits docs, identifies gaps, writes/improves documentation (sonnet)
|
|
188
190
|
- `debugger` — Traces root causes systematically (sonnet, no file edits)
|
|
189
191
|
|